From: Paolo Bonzini
To: Paolo Bonzini, Marc Zyngier, Oliver Upton, Huacai Chen, Michael Ellerman, Anup Patel, Paul Walmsley, Palmer Dabbelt, Albert Ou, Sean Christopherson, Alexander Viro, Christian Brauner, "Matthew Wilcox (Oracle)", Andrew Morton
Cc: kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Xiaoyao Li, Xu Yilun, Chao Peng, Fuad Tabba, Jarkko Sakkinen, Anish Moorthy, David Matlack, Yu Zhang, Isaku Yamahata, Mickaël Salaün, Vlastimil Babka, Vishal Annapurve, Ackerley Tng, Maciej Szmigiero, David Hildenbrand, Quentin Perret, Michael Roth, Wang, Liam Merwick, Isaku Yamahata, "Kirill A. Shutemov"
Subject: [PATCH 02/34] KVM: Assert that mmu_invalidate_in_progress *never* goes negative
Date: Sun, 5 Nov 2023 17:30:05 +0100
Message-ID: <20231105163040.14904-3-pbonzini@redhat.com>
In-Reply-To: <20231105163040.14904-1-pbonzini@redhat.com>
References: <20231105163040.14904-1-pbonzini@redhat.com>

From: Sean Christopherson

Move the assertion on the in-progress invalidation count from the primary MMU's notifier path to KVM's common notification path, i.e. assert that the count doesn't go negative even when the invalidation is coming from KVM itself.

Opportunistically convert the assertion to a KVM_BUG_ON(), i.e. kill only the affected VM, not the entire kernel. A corrupted count is fatal to the VM, e.g. the non-zero (negative) count will cause mmu_invalidate_retry() to block any and all attempts to install new mappings. But it's far from guaranteed that an end() without a start() is fatal or even problematic to anything other than the target VM, e.g. the underlying bug could simply be a duplicate call to end(). And it's much more likely that a missed invalidation, i.e. a potential use-after-free, would manifest as no notification whatsoever, not an end() without a start().

Signed-off-by: Sean Christopherson
Reviewed-by: Paolo Bonzini
Reviewed-by: Fuad Tabba
Tested-by: Fuad Tabba
Message-Id: <20231027182217.3615211-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini
--- virt/kvm/kvm_main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 0524933856d4..5a97e6c7d9c2 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -833,6 +833,7 @@ void kvm_mmu_invalidate_end(struct kvm *kvm, unsigned long start, * in conjunction with the smp_rmb in mmu_invalidate_retry(). */ kvm->mmu_invalidate_in_progress--; + KVM_BUG_ON(kvm->mmu_invalidate_in_progress < 0, kvm); } static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn, @@ -863,8 +864,6 @@ static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn, */ if (wake) rcuwait_wake_up(&kvm->mn_memslots_update_rcuwait); - - BUG_ON(kvm->mmu_invalidate_in_progress < 0); } static int kvm_mmu_notifier_clear_flush_young(struct mmu_notifier *mn, -- 2.39.1
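
Review bot: In the kvm_mmu_invalidate_end() hunk, the new KVM_BUG_ON() sits directly after `kvm->mmu_invalidate_in_progress--;` with no comment, so the reason for using KVM_BUG_ON() instead of BUG_ON() is recorded only in the commit message. The existing comment block above the decrement ends with the smp_rmb pairing and says nothing about the assertion; a one-line comment stating that a negative count is treated as fatal to this VM only would keep that rationale next to the code. The check also runs after the decrement, so the count stays negative once it fires. That is consistent with the commit message's point that a corrupted count blocks new mappings for the VM, but nothing in this hunk restores the counter, which is worth saying explicitly.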
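
Review bot: In the kvm_mmu_notifier_invalidate_range_end() hunk, dropping `BUG_ON(kvm->mmu_invalidate_in_progress < 0);` from the end of the function keeps the notifier path covered only if every path through this function reaches kvm_mmu_invalidate_end(), and the visible context shows just the `if (wake)` wake-up, not that call. Please state in the commit message how the notifier reaches the relocated check, so the claim that the count is asserted on both the primary MMU path and KVM's own invalidations can be verified from the description.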